FINANCIAL MARKETS
Oversight of Automation Used to Clear and Settle Trades Is Uneven

141773
GAO/IMTEC-90-47

United States General Accounting Office
Washington, D.C. 20648

Information Management and Technology Division

B-238887

July 12, 1990

The Honorable John D. Dingell
Chairman, Committee on Energy and Commerce
House of Representatives

The Honorable E (Kika) de la Garza
Chairman, Committee on Agriculture
House of Representatives

The Honorable Henry B. Gonzalez
Chairman, Committee on Banking, Finance and Urban Affairs
House of Representatives

The Honorable Patrick J. Leahy
Chairman, Committee on Agriculture, Nutrition, and Forestry
United States Senate

The Honorable Donald W. Riegle, Jr.
Chairman, Committee on Banking, Housing, and Urban Affairs
United States Senate

This report is a follow-up to the work we did immediately after the October 1987 market crash.¹ It assesses the role played by federal regulators and financial organizations in developing and maintaining a strong foundation of oversight for automated systems vital to the post-trade processing of stock, options, and futures transactions.²

¹ See Financial Markets: Preliminary Observations on the October 1987 Crash (GAO/GGD-88-38, Jan. 26, 1988).

² The term “options” is used in this report to mean stock options, not options on futures contracts.

Generally speaking, post-trade processing activities--referred to as the clearance and settlement process--encompass everything from double-checking and confirming the terms of a transaction to paying for and delivering the traded financial instrument. Organizations, commonly referred to as clearinghouses, clear and settle trades and rely extensively on automated systems to do so. These automated clearinghouse systems are essential to the daily processing of transactions worth billions of dollars and play a critical role in ensuring that market participants receive
timely clearance and settlement services. Serious problems with automated systems could disrupt a clearinghouse’s operations severely enough to threaten the integrity and stability of the financial markets.

This review includes an assessment of the automated systems’ oversight role played by the following three federal regulatory agencies--the Securities and Exchange Commission (SEC) for stock and options clearinghouses, the Commodity Futures Trading Commission (CFTC) for futures clearinghouses, and the Federal Reserve System for stock clearinghouses that act and are referred to as depositories. We also reviewed certain systems oversight practices used by five major clearinghouses that account for at least 80 percent of the transactions in the stock, options, and futures markets. The five clearinghouses were the National Securities Clearing Corporation and the Depository Trust Company for stocks; the Options Clearing Corporation for options; and the Board of Trade Clearing Corporation and the Chicago Mercantile Exchange Clearing House Division for futures contracts.

Specifically, this report evaluates the level of regulatory oversight provided to automated clearance and settlement systems (1) at the time clearing organizations register with a regulator seeking authority to perform clearinghouse functions; (2) when clearing organizations seek regulatory approval of proposed rules that implement or modify operating policies and procedures; and (3) during periodic regulator inspections or examinations of clearinghouse operations. In addition, this report assesses whether clearinghouses’ self-review practices include performing systems and facilities risk assessments,³ conducting comprehensive internal audit reviews of automated systems and operations, and utilizing annual external audit reviews of clearinghouse data processing.
Details of our objectives, scope, and methodology are included in appendix I.

³ A risk assessment is an analysis of the weaknesses associated with operating a computer system and its facilities. It is performed to determine how security resources can be cost effectively deployed to minimize potential loss. Such analyses should be conducted prior to approval of a system’s design specifications, whenever a significant installation change occurs, and at periodic intervals established by the organization.

Results in Brief

To maintain orderly and properly functioning markets, automated clearance and settlement systems must operate smoothly. In this connection, the automated systems of the five clearinghouses in our review performed reasonably well in processing trades during the October 1987 and 1989 market declines. However, given the important role clearing organizations play in the financial markets and the extent to which they rely on automation, strong systems oversight is needed by the federal regulators and the clearinghouses to ensure that these automated clearance and settlement systems are continuously able to process trades in a prompt and accurate manner.

We found that the Federal Reserve System has established and followed reasonable procedures for overseeing automated clearinghouse systems.
Conversely, we found that the primary federal regulatory agencies--SEC and CFTC--have not established strong oversight practices to help ensure that automated clearance and settlement systems provide timely and reliable services. Specifically, neither SEC nor CFTC performed technical assessments of clearinghouse computers during registration, rule review, and inspection processes. We also found that SEC has established detailed registration standards designed to ensure the soundness of automated clearinghouse systems, but has not enforced one of its standards requiring clearinghouses to perform risk assessments of their automated systems and facilities. CFTC has not issued such systems oversight standards for the futures clearinghouses. In this regard, both regulators attribute their inadequate level of oversight in this area to having insufficient staff with the requisite expertise to review automated systems. Since the close of our review, each regulator has taken steps to increase its oversight of automated clearinghouse systems.

SEC and CFTC officials believe their insufficient systems oversight is mitigated by the clearinghouses’ oversight of their own systems. However, we also found, to varying degrees, gaps in this “self-regulatory” oversight. For example, none of the five clearinghouses we reviewed performed formal, fully documented or complete assessments of the risks associated with operating their computer systems and facilities, even though three of these clearinghouses are required by SEC to do so. In addition, one futures clearinghouse we reviewed lacked an internal audit function to assess the clearinghouse’s data processing operations and controls. Another futures clearinghouse had an internal audit function, but lacked staff with the requisite skills to conduct computer system reviews.
Limited federal oversight of these systems, coupled with gaps in the self-regulatory oversight provided by the clearinghouses, indicates that the regulators and clearinghouses are not doing all they should to detect and avoid problems associated with operating automated systems. Consequently, there is increased and unnecessary risk that these systems will not be consistently able to process trades promptly and accurately, which reduces the integrity of the nation’s stock, options, and futures markets.

Accordingly, this report contains recommendations that (1) SEC and CFTC increase their oversight of automated clearinghouse systems in the stock, options, and futures markets; (2) SEC ensure full compliance with its risk assessment standard for stock clearinghouses; (3) CFTC establish standards for the futures clearinghouses to follow in implementing comprehensive systems review programs; and (4) CFTC follow-up to ensure that weaknesses at the futures clearinghouses are resolved.

Background

Clearance and settlement takes place after trades have been executed on an exchange. Clearance involves collecting and matching data from traders who buy and sell financial instruments. Clearance is important because, after buyers’ and sellers’ trades are successfully matched, they are guaranteed by the clearinghouse in the event parties to the transactions do not honor their financial obligations. Settlement is the process whereby the parties to a trade exchange funds for stock, options, or futures contracts.

Clearinghouses perform the clearance and settlement functions.
They rely heavily on computers, using them to: (1) receive trade information from buyers and sellers via computer-to-computer links; (2) match certain information from traders--such as price and quantity--to confirm the terms of each trade; (3) calculate the amounts owed by and due to the traders and net these amounts to arrive at one total amount traders owe or should receive; and (4) transfer, in the case of stock, these instruments from the selling traders’ accounts to buying traders’ accounts via a computerized book-entry system.

Clearinghouse computers handle on a daily basis hundreds of thousands of trades, worth billions of dollars. For example, in 1988, the National Securities Clearing Corporation--which clears 96 percent of the stock transactions in this country--processed on an average daily basis over 250 million shares of stock worth approximately $13 billion.

Three federal agencies--SEC, CFTC, and the Federal Reserve System--have responsibilities for regulating and overseeing clearinghouse activities. Specifically, the Securities Exchange Act (16 U.S.C. 79a-7811) directs SEC to oversee the activities of the stock and options clearinghouses. Under the act, the Federal Reserve System serves as the primary regulator of a small number of stock depository clearinghouses, such as the Depository Trust Company, that are organized and operated as banks. As a result, the Federal Reserve System and SEC coordinate their oversight of stock depositories; the Commission generally handles registration and rule reviews while the Federal Reserve inspects depository operations. For futures contracts, CFTC under the Commodity Exchange Act (7 U.S.C. 1 et seq.) oversees the futures clearinghouses.

The oversight responsibilities of these three federal regulators include automated systems to the extent that such systems are used to process the clearance and settlement of stock, options, and futures transactions.
In accordance with these laws, the three federal regulators have established procedures to oversee the operations of the clearinghouses. The Federal Reserve System’s primary means of overseeing the depositories consists of annual examinations of each depository’s financial and computer operations. SEC oversight efforts consist primarily of (1) requiring clearinghouses to register with the Commission so that SEC can ensure that each clearinghouse has the capacity to act as such an organization; (2) conducting reviews of proposed operating procedures--called rules--to ensure their consistency with applicable regulations and laws; and (3) inspecting periodically selected clearinghouse operations and controls to ensure they are efficient, safe, and designed to detect weaknesses that could cause financial loss to the organization, its members, or the public. CFTC oversight primarily includes rule reviews and periodic inspections, which are similar in form to those performed by SEC.

Federal Regulators’ Oversight Is Incomplete

Active federal oversight of the stock, options, and futures clearinghouses’ use of computers is critical in assessing whether clearance and settlement can be accomplished in a prompt and accurate manner. In this connection, it would be prudent and consistent with their oversight responsibilities for the regulators to include technical assessments of clearinghouse automated resources as an integral element in established oversight activities. Such assessments could include providing assurances that (1) systems have the capacity to support timely operations under normal and high-volume conditions; (2) controls are in place to prevent unauthorized access and the misuse of automated systems; (3) systems are able to provide continuous service in the event of equipment and software failures, natural disasters, and intentional malicious acts; and (4) controls are established to ensure that the systems’ hardware, software, and communications perform as intended.
Results of our review show that regulatory oversight in the above-mentioned areas is incomplete. While the Federal Reserve System includes technical computer assessments as part of its examinations of stock depository operations, we found a lack of direct systems oversight provided by SEC and CFTC during their established registrations, rule reviews, and inspections. This inadequate level of SEC and CFTC oversight hampers their ability to effectively oversee clearance and settlement in these financial markets.

Registration Process Weaknesses

By law, SEC is required to ensure that stock and options clearing organizations have the capacity to facilitate the prompt and accurate clearance and settlement of securities transactions.⁴ Our work disclosed, however, that during the registration process SEC does not directly perform technical assessments of the computer systems the organizations have in place or propose to use. Instead, responsible SEC officials informed us that they rely on (1) written representations provided by the prospective clearinghouse describing the capability of its computer systems, and (2) assessments performed by external, independent auditors employed by the clearinghouse to review its operations.

We also found CFTC does review clearinghouse operations when the Commission considers futures exchanges’ requests to trade new contracts, and has certain financial standards the clearing organizations must adhere to in order to operate in this capacity. However, the Commission has provided no formal guidance to those organizations detailing the need for management controls over the use of automated systems. CFTC also does not conduct technical assessments of the clearinghouses’ automated systems prior to authorizing the entities to commence operations.
⁴ 16 U.S.C. 7&-l(b)(3).

Gaps in SEC’s and CFTC’s Rule Reviews

From time to time, clearing organizations submit proposed rule changes to SEC and CFTC for approval, including related processing changes affecting clearance and settlement systems. Although both SEC and CFTC have established procedures for approving clearing organizations’ proposed rule changes, neither organization directly performs technical assessments of rules involving the use of automated systems to perform clearance and settlement functions. Rather, SEC and CFTC generally review the financial and legal consequences, as opposed to the technical ramifications, of using such systems. CFTC, because it uses information provided by clearinghouse computer systems for regulatory purposes, does perform limited software testing of certain automated systems during rule reviews to ensure the accuracy of the data produced.

Over the past 3 years, 59 rules (48 by SEC and 11 by CFTC) involving computer systems or enhancements have been approved by SEC and CFTC without complete technical assessments of the computer-related implications of these rules. The 48 rules approved by SEC represent over 40 percent of the three securities clearinghouses’ rules SEC processed during this period. The 11 rules approved by CFTC account for approximately 10 percent of the 2 futures clearinghouses’ rules processed by CFTC over this same period. The rules approved by SEC involved, for example, the use of systems to (1) enhance the National Securities Clearing Corporation’s trade comparison system, and (2) automate the Depository Trust Company’s process for settling trades between financial institutions in this country and abroad. The rules approved by CFTC, for example, included the use of automated systems by the Chicago Mercantile Exchange to compare trades upon execution and determine funds required to secure futures contracts.
These automated systems and the clearance and settlement processes they support are critical to the prompt and accurate processing of transactions in these financial markets.

Weaknesses in the Regulators’ Inspections

Regarding the extent to which the federal regulators included reviews of computer systems in their inspections, we found that the Federal Reserve System assessed computer systems, and SEC and CFTC did not. During its past three annual examinations at the Depository Trust Company, the Federal Reserve System evaluated the depository’s computer systems in such areas as data integrity, information resources management, teleprocessing, physical security over systems and programming, computer operations, and contingency and disaster recovery planning. Further, the Federal Reserve System examiners also reviewed audits conducted by the depository’s internal audit staff and external independent auditors to identify possible computer system weaknesses and to assess the status of corrective actions. Such efforts have helped to strengthen the depository’s data processing activities.

With regard to SEC and CFTC, we found that the inspections conducted by the commissions rarely included automated systems in the scope of the work performed. Rather, we found that their inspections generally covered areas involving the financial and legal risks associated with operating the clearinghouse, such as the adequacy of risk management procedures, the sufficiency of clearing fund contributions, and the appropriateness of procedures for the financial surveillance of clearinghouse members.

Effect of Incomplete Federal Systems Oversight

Responsible SEC and CFTC officials stated that their agencies generally exclude computer systems from oversight because they lack sufficient staff with the expertise to perform technical assessments of these systems.
This inadequate federal oversight of the automated systems used by the clearinghouses impairs their ability to effectively oversee clearance and settlement in these three markets. It also increases the risk that system weaknesses will not be consistently detected or will go undetected.

Gaps Exist in the Clearinghouses’ Self-Oversight Efforts

We examined clearinghouse operations to identify whether these organizations used certain critical management control practices to oversee the use of automated clearance and settlement systems. While oversight may include numerous steps, we evaluated the following three basic practices: (1) the performance of periodic risk assessments of automated data processing (ADP) systems and facilities; (2) the establishment of an adequately and competently staffed internal audit department capable of reviewing computer systems and acting as an independent level of review over the clearinghouse’s internal accounting controls; and (3) the use of independent external reviews of an organization’s system of internal controls, including a review of general and application controls.⁵

During our review, we found that SEC has issued thorough and detailed standards requiring stock and options clearinghouses to institute and maintain such practices over their operations and computer systems.⁶ These standards provide a good framework for clearing organizations to follow in proactively identifying and correcting computer weaknesses.

Our review disclosed, however, that the clearinghouses did not always use these critical management controls. Specifically, table 1 shows the stock, options, and futures clearinghouses in our review and their use or lack of certain management controls over automated systems.

⁵ Internal controls used to protect and safeguard computer systems are categorized as general and application controls. General controls are those that are normally applicable to all data processing being performed within an installation.
Application controls apply to individual computer systems and are designed to, among other things, ensure the reliability of information to be processed, the accuracy of data input, the integrity of data processing, and the verification and distribution of data output. An evaluation of application controls should be integrated with an evaluation of general controls to ensure that weaknesses in general controls do not adversely affect any applications processed.

⁶ See Securities Exchange Act of 1934 Release No. 16900, June 17, 1980, Announcement of Standards for the Registration of Clearing Agencies.

Table 1: Stock, Options, and Futures Clearinghouses’ Computer Oversight Practices

Critical Systems Oversight Practices

                                           Formal ADP    Internal Audit Function    External Audits
                                           risk          Function    Has ADP        General     Application
Clearinghouse                              assessments   exists      expertise      controls    controls
Stock and Options
  National Securities Clearing Corporation No            Yes         Yes            Yes         Yes
  Depository Trust Company                 No            Yes         Yes            Yes         Yes
  Options Clearing Corporation             No            Yes         Yes            Yes         Yes
Futures
  Board of Trade Clearing Corporation      No            No          No             Yes         No
  Chicago Mercantile Exchange              No            Yes         No             Yes         No

Stock and Options Clearinghouse Compliance With Critical Oversight Practices

As shown in table 1, the stock and options clearinghouses had, in compliance with SEC standards, (1) established internal audit functions with ADP expertise that conduct clearinghouse computer reviews and (2) engaged external auditors to perform independent reviews of the clearinghouses’ systems of internal controls, including general and application controls. However, we found that none of the clearinghouses performed formal or complete assessments of the risks associated with operating their computer systems and facilities.
In addition, we found that SEC did not determine whether these clearinghouses were performing these ADP assessments.

Stock and options clearinghouse officials informed us that they are comfortable with their current ADP risk assessment processes. Specifically, the Depository Trust Company, which most closely adheres to federal risk assessment standards, reviews ADP risks as part of its day-to-day operational and audit activities and also performs an annual review of its financial, operational, and ADP risks. The Options Clearing Corporation relies primarily on its internal audit department; the department conducts an assessment of the company’s audit areas and ranks and documents them to identify high-risk areas that it plans to review during the upcoming year. The National Securities Clearing Corporation informally assesses on an ongoing basis the risks associated with using their computer systems. We found, however, that these clearinghouse efforts do not always include certain risk assessment components such as (1) evaluating all threats and contingencies clearinghouse systems and facilities are exposed to; (2) estimating the dollar value of potential losses associated with such threats and contingencies; and (3) having a formal process for conducting such assessments, documenting work results, and reporting them to management.

Futures Clearinghouse Compliance With Critical Oversight Practices

Likewise, the futures clearinghouses did not perform formal risk assessments and also lacked the use of other basic management control practices. Specifically, the Board of Trade Clearing Corporation does not have an internal audit function, while the Chicago Mercantile Exchange’s internal audit staff does not have the requisite expertise to perform audits of its automated systems.
Further, while both futures clearinghouses had financial audits performed by independent auditors, the scope of these reviews only covered general controls over their computer systems, and excluded reviews of the adequacy of application controls. Without assessing application controls, clearinghouses have less assurance that controls critical to the recording, processing, and reporting of essential data are working.

Futures clearinghouse officials stated that CFTC does not require them to adhere to or implement such oversight measures but that they do voluntarily assess ADP risks on an informal, ongoing basis without formally documenting work results. Regarding their lack of internal ADP audits, futures clearinghouse officials told us they have other units within their operations perform this function. Specifically, the Chicago Mercantile Exchange has one staff person in its computer operations division that performs audits of computer backup and recovery processes, while the Clearing Corporation uses staff from its quality assurance function to perform reviews of automated systems under development. With regard to external systems reviews, these officials acknowledged that their financial auditors do not review all application controls but noted that they had external auditors perform periodic reviews of selected areas which they believe enables them to sustain a strong internal controls environment.

Effect of Incomplete Clearinghouse Systems Oversight

Without performing complete assessments of ADP risks and formalizing the review process for such assessments, the clearinghouses have incomplete assurance that their management and boards are receiving the necessary information to select adequate, cost effective controls commensurate with the organizations’ ADP risks.
In addition, the futures clearinghouses’ use of computer operations personnel as internal ADP auditors impairs the ability of such staff to act as an independent, objective level of review in evaluating the clearinghouses’ automated systems and controls. In this regard, at both futures clearinghouses the computer operations personnel were not independent of the officials responsible for the operations they reviewed, and the scope of their work was limited in that it excluded critical data processing areas such as capacity planning and physical security. To be of maximum usefulness, internal auditors should be independent of the officials whose activities they review, and the scope of their work should extend to all clearinghouse activities and related management controls. Further, the futures clearinghouses’ practice of using external auditors to review only general controls provides these organizations with limited assurance that systems and controls are adequate.

These existing gaps in the clearinghouses’ oversight increase the risk that automated system weaknesses will not be consistently detected or will go undetected. In this connection, at each of the five clearinghouses in our review, we conducted a limited assessment and tour of the automated systems and facilities. At four of the clearinghouses, we did not uncover any material problems. However, at one clearinghouse we did identify some weaknesses in such areas as physical security and continuity of operations. These included weak access controls to the computer room and a lack of an uninterruptible power supply to the computer room. Weaknesses such as these reduce the strength of the clearinghouse’s system of internal controls. Officials of this organization have already taken action to correct some of the weaknesses and are looking at ways to address the others.
Conclusions and Recommendations

Proactive oversight by the federal regulators and the clearinghouses is essential to (1) assess whether these systems have sufficient capabilities and controls in place to process trades in a prompt and accurate manner, and (2) keep these organizations and their computer systems free of problems, especially during volatile market activity. The limited federal oversight of these systems, coupled with gaps, to varying degrees, in the self-regulatory oversight provided by the clearinghouses, indicates that these parties are not taking all necessary steps to detect and avoid problems associated with operating automated systems. Such actions are critical to ensure these systems will be able to process trades promptly and accurately, especially during stressful market periods.

Accordingly, to strengthen systems oversight in this area, we recommend that the chairpersons of SEC and CFTC implement the following actions:

• Both should allocate the necessary resources to establish the capability to assess the efficient and safe use of automation in the clearance and settlement process. This capability could be included within the agencies’ existing oversight processes, such as inspections and rule reviews.
• SEC should strengthen enforcement of its clearinghouse registration standards by ensuring that clearinghouses, as part of their annual risk management programs, perform risk assessments of their automated systems and facilities.
• CFTC should establish regulatory standards for the futures clearinghouses detailing prudent management practices to be used in developing and implementing comprehensive and thorough systems review programs, and the Commission should ensure that the clearinghouses adhere to such guidance.
• CFTC should follow up on the weaknesses identified at the futures clearinghouses to ensure they are satisfactorily resolved.
Agency Comments and Our Evaluation

We orally discussed the contents of this report with senior officials from the three regulatory agencies and the five clearinghouses. Two regulatory agencies--SEC and CFTC--also provided formal written responses to our report which are contained in appendixes II and III, respectively. As a whole, these eight organizations generally agreed with the facts and contents of our report, and we have incorporated their comments where appropriate. In this regard, CFTC and SEC have recently taken steps to increase their oversight of the automated systems used by the futures and securities clearinghouses.

Since the close of our review, CFTC established an interagency task force of computer experts in May 1990 to advise the Commission on how automation assessments should be incorporated into its oversight efforts. This task force will also address the need to provide automated systems oversight standards to the futures clearing organizations. Further, CFTC has recently authorized staff from its Office of Information Resources Management (OIRM) to perform technical assessments of automated systems as part of the Commission’s established inspections of clearinghouse activities, and OIRM staff recently began to conduct such reviews. With regard to improved systems oversight by SEC, the Commission has established an automation review group and is planning to staff it with personnel with the expertise to provide technical assistance in identifying clearinghouse system weaknesses during registration, rule review, and inspection processes.

We believe the recent initiatives by SEC and CFTC represent good first steps in strengthening the commissions’ oversight processes for reviewing automated systems used by stock, options, and futures clearinghouses. However, because these initiatives have been recently implemented, it is too early to assess their effectiveness.
We are providing copies of this report to other interested members of Congress, executive branch agencies, and the public. We will also make copies available to others upon request.

This work was performed under the direction of Howard G. Rhile, Director, General Government Information Systems, who can be reached at (202) 275-3455. Other major contributors are listed in appendix IV.

Ralph V. Carlone
Assistant Comptroller General

Contents

Letter
Appendix I: Objectives, Scope, and Methodology
Appendix II: Comments From the Securities and Exchange Commission
Appendix III: Comments From the Commodity Futures Trading Commission
Appendix IV: Major Contributors to This Report
Table
Table 1: Stock, Options, and Futures Clearinghouses’ Computer Oversight Practices

Abbreviations

ADP     automated data processing
CFTC    Commodity Futures Trading Commission
GAO     General Accounting Office
IMTEC   Information Management and Technology Division
OIRM    Office of Information Resources Management
SEC     Securities and Exchange Commission

Appendix I
Objectives, Scope, and Methodology

We undertook this study to determine the extent of oversight provided to computer systems used to clear and settle trades made in the U.S. stock, options, and futures markets. Specifically, we assessed the oversight provided by the federal regulators and clearinghouses to reduce the risks associated with operating such systems. These topics were selected for review for three reasons. First, computers form the backbone of the clearance and settlement processes in that they are essential to the orderly clearance and settlement processing of the large number of stock, options, and futures trades executed daily in these markets.
Second, clearance and settlement plays a major role in these markets - financial and operational problems in this area during the October 1987 stock market crash threatened the entire U.S. financial system, according to a presidential task force established to study the event.¹ Third, during our review of the 1987 stock market crash, we found a lack of federal oversight of the automated trading systems.

We conducted our audit work at five clearance and settlement organizations: the National Securities Clearing Corporation; the Depository Trust Company; the Options Clearing Corporation; the Chicago Mercantile Exchange's Clearing House Division; and the Board of Trade Clearing Corporation. These organizations were selected for review because they clear and settle a large majority of the stock, options, and futures transactions in this country.

The objectives of our review were to assess (1) the role of federal regulators in reviewing the use of computer systems in the clearance and settlement processes, and (2) the adequacy of management control practices that the clearinghouses use to review their own automated clearance and settlement systems. For our first objective, we determined the level of oversight provided by the three federal regulators - SEC, CFTC, and the Federal Reserve System - in established regulatory and oversight processes: registration, rule reviews, and inspections. We also ascertained whether the regulators had issued systems oversight guidance to the clearinghouses, and if so, whether compliance with such guidance was routinely enforced. For our second objective, we identified three generally accepted management control practices in order to have effective system oversight, and reviewed clearinghouses' operations to determine the extent of their compliance.
These critical management controls are (1) conducting risk assessments of computer systems and facilities; (2) establishing an internal audit function capable of reviewing computer systems and controls; and (3) engaging external, independent reviews of clearinghouse data processing activities.

¹See Presidential Task Force on Market Mechanisms, Report to the President of the United States [Brady Report], Jan. 1988.

To understand the role that the responsible federal regulators play in overseeing automated clearance and settlement systems, we obtained supporting documentation and interviewed federal regulatory officials at SEC, CFTC, and the Federal Reserve System headquarters to determine their responsibilities, including how they review the clearinghouses' use of computers. We also held discussions with those staff at SEC and CFTC regional offices in New York and Chicago, and at the Federal Reserve Bank in New York, who participate in overseeing the stock, options, and futures clearinghouses included in our review. In addition, we reviewed the inspections and examinations that the federal regulators performed at the clearinghouses over the past 3 years to determine the extent to which computer-related areas are included in their oversight.

During our assessment of the oversight provided these systems by the clearinghouses, we interviewed the organizations' internal auditors, if the entity had such a group, and external certified public accountants. We also reviewed the internal and external auditors' reports to determine, among other things, the extent of oversight provided to these systems. The audits we reviewed were from the period 1986 to 1988.
The public accounting firms we met with included Price Waterhouse for the National Securities Clearing Corporation and the Depository Trust Company; Deloitte Haskins and Sells for the Options Clearing Corporation; Arthur Andersen and Company for the Chicago Mercantile Exchange's clearing division; and Touche Ross and Company for the Board of Trade Clearing Corporation. In addition, we reviewed and analyzed the clearinghouses' risk assessments, in those cases where they had been performed, to determine the extent to which the assessments addressed the risks associated with their computer systems and facilities used for clearance and settlement purposes. We also toured the clearinghouses' computer operations centers. Finally, we performed a limited assessment of the controls used to safeguard the automated systems and facilities, and interviewed responsible officials concerning the extent of oversight afforded these systems.

Our audit work was performed between November 1988 and February 1990, and was conducted in accordance with generally accepted government auditing standards.

Appendix II
Comments From the Securities and Exchange Commission

UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549

May 29, 1990

Ralph V. Carlone
Assistant Comptroller General
General Government Programs
General Accounting Office
441 G Street, N.W.
Washington, D.C. 20548

Re: Draft Report on Automation Used to Clear and Settle Trades

Dear Mr. Carlone:

This is in response to a request for comments on a report ("Report") of the General Accounting Office ("GAO") entitled Improved Oversight Needed for Automation Used to Clear and Settle Trades. Generally, the Report finds that the automated systems of the five clearinghouses under review performed satisfactorily in processing trades during the October 1987 and 1989 market declines.
The Report also notes that the Securities and Exchange Commission's ("SEC" or "Commission") thorough and detailed registration standards provide a good framework for clearing organizations to follow in proactively identifying and correcting computer weaknesses. We expect that rigorous enforcement of these standards, in conjunction with recent initiatives by the SEC in the area of automation, will enhance our ability to oversee clearinghouse automated data processing ("ADP") systems and will further increase the safety and efficiency of these systems.

Nevertheless, the Report contains a number of recommendations of additional actions which the GAO believes the SEC or securities self-regulatory organizations ("SROs") should take to detect and avoid problems associated with operating ADP systems. As it relates to the Commission, the Report recommends that the Commission perform directly technical assessments of clearinghouse computer systems during established registrations, rule reviews, and inspections.

In reviewing an application for registration as a clearing agency, the Division of Market Regulation ("Division") applies the requirements of the Securities Exchange Act of 1934 as well as the regulatory standards referred to in the Report. 1/ These standards require, among other things, that the clearing agency have an internal audit department adequately staffed with qualified personnel. In addition to sufficient technical training and proficiency in accounting and auditing, qualified personnel must possess expertise in the ADP application of accounting and auditing necessary to perform the internal audit functions.
It is the responsibility of this department to act as a separate level of control in reviewing and evaluating the clearing agency's system of internal accounting control, which includes ensuring the integrity and accuracy of its ADP operations, both during development and thereafter. In addition, the standards require an annual opinion report prepared by an independent public accountant based on a study and evaluation of the clearing agency's system of internal accounting control for the period since the last such report.

As the Report notes, the stock and options clearing agencies have established internal audit functions and have engaged independent accountants to review the adequacy of their systems of internal controls, including general and application controls, in compliance with SEC standards. Indeed, the standards clearly contemplate that technical assessments be conducted by internal and external auditors, not the SEC. We question, therefore, whether it is an efficient allocation of resources to devote SEC staff to performing a third technical assessment when at least two other entities (one of which is independent) are charged with performing this function. Moreover, as a general practice, in connection with registrations and rule filings, the Division and assures itself of the adequacy of, the clearing agency's systems capacity and security, as well as contingency plans the clearing agency has established relating to systems failure or sabotage.

In addition, although the Report acknowledges that the Commission has established detailed registration standards designed to ensure the soundness of automated clearinghouse systems, the Report states that clearing corporations do not perform periodic risk assessments of their ADP systems as contemplated by the standards. We strongly agree that clearing corporations should perform periodic risk assessments of their automated systems.
It should be noted that, in addition, although the registration standards initially served as guidelines for review of clearing agency registration applications, each of the clearing agencies that was the subject of the Report must continue to satisfy the requirements set forth in the standards. 2/ It is our understanding, however, based on the considerable number of rule filings refining and enhancing clearing corporation ADP systems, that clearing corporations do, in fact, monitor and evaluate their ADP systems on a continuing basis. Nevertheless, we believe there is merit in GAO's suggestion that a formalized, scheduled review of ADP systems as contemplated in the standards be performed. Accordingly, the Division has reminded each of the subject clearing agencies of their obligation to review ADP systems and related controls as a part of the annual review and report process. The Division will review, in conjunction with the Commission's clearing agency inspection program, implementation of this objective.

1/ See Securities Exchange Act Release No. 16900 (June 17, 1980), 45 FR 41920.

The report also finds that the Federal Reserve System ("Fed") assesses computer systems during the inspection process, but that the SEC does not. It should be noted that, although depositories are registered clearing agencies under the Securities Exchange Act of 1934, as members of the Federal Reserve System, the Fed is the appropriate regulatory authority with primary oversight responsibility. Again, we believe it is appropriate to avoid duplication of regulatory effort wherever possible, so long as the financial and operational integrity of the clearing agency and its participants is not endangered as a result.
We agree, however, that formalization of the ADP risk assessment at the non-depository clearing agencies would be beneficial and we will include a review of such assessments as they relate to computer systems as part of our routine inspection procedures. Given the level of required internal and independent review already in place, however, we do not believe that the Commission should expend scarce resources by hiring a large number of ADP examiners as replacement for existing examination staff qualified to review compliance with the Commission's anti-fraud, sales practice and financial responsibility regulations.

In connection with the increasingly important role of automation in the securities industry, the Commission has created a new Office within the Division of Market Regulation that will produce guidelines for, and oversee, automation review at the SROs. 3/ Priorities dictate that the focus of this Office, at least initially, be on market execution and information systems. Nevertheless, we expect that the Office will provide technical assistance to the Division on an as-needed basis and will increase our ability to oversee effectively clearing agency systems by providing the technical expertise necessary to identify systems weaknesses in connection with the registration, rule review, and inspection processes.

2/ See Securities Exchange Act Release No. 20221 (Sept. 23, 1983), 48 FR 45167.

3/ Prior to the establishment of this new office the Commission published for comment an Automation Review Policy ("ARP") which states that SROs should, on a voluntary basis, establish comprehensive planning and (continued...)

In conclusion, the Commission appreciates the critical role that automated clearinghouse systems play in ensuring that market participants receive timely clearance and settlement services.
We believe that the SEC's oversight of automated systems in the clearance and settlement area, in combination with the oversight of the SROs, is adequate to detect and resolve problems associated with operating automated systems. Moreover, with the assistance provided by the Office of Automation and International Markets, we are confident that our oversight in this area will be strengthened.

We appreciate this opportunity to comment on the Report and request that a copy of this letter be appended to the Report when it is issued.

Sincerely,

Richard Ketchum
Director

3/ (...continued) assessment programs to determine systems capacity and vulnerability. See Securities Exchange Act Release No. 27445 (November 16, 1989), 54 FR 48703. Although the Commission did not extend the ARP to clearinghouse automated systems, the Commission stated that in the future it may suggest expansion of the Policy to other SRO computer-driven support systems for, among other things, clearance and settlement, if it finds it necessary to ensure the maintenance of fair and orderly markets. See 54 FR 48703 at note 27.

Appendix III
Comments From the Commodity Futures Trading Commission

COMMODITY FUTURES TRADING COMMISSION
2033 K Street, N.W., Washington, D.C. 20581
(202) 254-6970

June 1, 1990

Wendy L. Gramm
Chairman

Mr. Ralph V. Carlone
Assistant Comptroller General
Information and Technology Division
General Accounting Office
441 G Street, N.W., Room 6915
Washington, D.C. 20548

Re: Draft Report Entitled "Improved Oversight Needed for

Dear Mr. Carlone:

The Commission appreciates the opportunity to comment on the draft report ("Report") of the General Accounting Office ("GAO") entitled "Improved Oversight Needed for Automation Used to Clear and Settle Trades."
The Commission fully recognizes the need to review and assess transaction-related automated systems and has made the development of effective regulatory oversight of such systems a Commission priority. This is reflected in a number of recent Commission actions. The Commission recently created an interagency task force to assist the Commission in addressing current developments concerning the review and assessment of automated systems. The Commission also recently issued an interpretative rule regarding the retention of documentation with respect to such automated systems. 55 Fed. Reg. 17932 (April 30, 1990). In addition, the Commission's Division of Trading and Markets has begun the background work necessary to commence rulemaking to seek public comments on issues related to a review and assessment policy regarding automated systems.

As these actions reflect, the Commission agrees that oversight standards are appropriate for clearing organization automated systems and, as GAO has acknowledged, has begun a process to formulate such standards. However, we do not believe that it is appropriate from a regulatory standpoint to insist on detailed management practices nor to specify rigid technical or systems criteria. Rather, we would incorporate compliance with overall program standards into our existing rule enforcement review programs. The Commission believes that the industry self-regulatory organizations ("SROs"), which include the futures exchanges and the National Futures Association, should have some flexibility to determine the mix of measures for review and backup of systems consistent with the number and types of transactions cleared, the processing design, and the applicable timeframes for clearing and settling transactions.
The GAO's comments in this area will be given careful consideration as we continue to enhance existing procedures and at the same time carefully analyze the cost, benefits and risks associated with the regulatory process.

With respect to allocating resources to assess the SROs' use of computers in the clearance and settlement process, as the Report acknowledges, the CFTC has authorized its Office of Information Resources Management ("OIRM") to perform technical assessments of automated systems as part of the Commission's regular exchange oversight program and OIRM staff have begun conducting such reviews. We believe, however, that issues concerning the scope of such reviews and the extent of the resources allocated to conduct them are ones that must be addressed by the Commission in the context of its overall oversight program and applicable resource constraints. Decisions concerning resource allocation in this context will necessarily entail close assessment of the relative priorities of all programs administered by the Commission.

We further note that seven of the rules referred to in the Report at page seven relate to clearing and settlement with respect to the Chicago Mercantile Exchange ("CME") Globex System, which was approved in February 1989 but is not yet operational. At the time the rules were approved, the Globex system was still in development. Over the last year, Commission staff has reviewed Globex system documentation, visited the central computer site to investigate the physical and logical security measures undertaken to protect the system, observed system testing, and held numerous discussions with CME technical staff concerning the system, including the interface with the existing clearing system. These discussions have included such matters as security features, capacity planning, performance characteristics, and backup and recovery procedures. Additional oversight activities currently are underway with regard to the Globex system.
The Commission is sensitive to the GAO's concerns in this area and we believe that the Commission's actions referred to herein demonstrate the Commission's commitment to enhancing the oversight of automated systems. We appreciate the opportunity to provide comments on the draft and we would be happy to discuss these comments with your staff.

Very truly yours,

Chairman

Appendix IV
Major Contributors to This Report

Information Management and Technology Division, Washington, D.C.
Richard J. Hillman, Assistant Director
William D. Hadesty, Technical Assistant Director
Gary N. Mountjoy, Project Manager
Valarie C. Jay, Staff Computer Scientist

New York Regional Office
A Garry Roemer, Deputy Project Manager
Amy S. Hutner, Staff Evaluator

Chicago Regional Office
David A. Arseneau, Staff Evaluator

(610354)
Financial Markets: Oversight of Automation Used to Clear and Settle Trades Is Uneven
Published by the Government Accountability Office on 1990-07-12.